Hard-Coded Password Found in Lenovo File-Sharing App

Lenovo today patched several vulnerabilities in a freely available file-sharing application that put private data at risk; the most serious of them hinge on a simple hard-coded password.

The flaws were found in the Lenovo SHAREit application for Android and Windows by researchers at Core Security's CoreLabs. The app lets users share files over Wi-Fi between PCs and mobile devices.

“Lenovo SHAREit for Windows and Android are prone to multiple vulnerabilities which could result in integrity corruption, information leak and security bypasses,” Core Security wrote in its advisory published today. Lenovo SHAREit for Android 3.0.18_ww and Lenovo SHAREit for Windows 2.5.1.1 are vulnerable, the researchers said.

The most pressing issue is the hard-coded password in the Windows version of the app. Core Security said that when the app is configured to receive files, it creates a Wi-Fi hotspot protected by the same password, 12345678, every time. Anyone in radio range who knows that password can join the hotspot, and that access in turn exposed a second hole: a request to the app's built-in web server lets an attacker on the hotspot browse the device's file system. The updated app removes the fixed password.

“When the WiFi network is on and connected with the default password (12345678), the files can be browsed but not downloaded by performing an HTTP Request to the WebServer launched by Lenovo SHAREit,” Core Security said in its advisory, which also includes the HTTP request used to carry out the attack.

Worse, both the Windows and Android versions of the app transferred files in plain text over HTTP, with no encryption and nothing for the receiver to verify.

“An attacker that is able to sniff the network traffic could view the data transferred or perform man in the middle attacks, for example by modifying the content of the transferred files,” Core Security said.

The final vulnerability affects only the Android version of the app: when configured to receive files, it creates its Wi-Fi hotspot with no password at all.

“An attacker could connect to that HotSpot and capture the information transferred between those devices,” Core Security said.
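The three findings above (a fixed hotspot password, an open hotspot, and file transfers with no integrity protection) compound each other, and a short simulation makes that concrete. The following is an added example written for this page, not code from Core Security's advisory or from Lenovo's SHAREit; it models the transfers in-process rather than over a network. It assumes a hypothetical hardened design in which the receiver generates a fresh random WPA2 passphrase per session and derives a transfer-integrity key from it with PBKDF2, then appends an HMAC-SHA256 tag to each file (a stand-in for the TLS or other authenticated channel a real fix would use). The sample file bytes and salt are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import string

# The fixed hotspot password Core Security found in SHAREit for Windows.
HARDCODED_PASSPHRASE = "12345678"
TAG_LEN = 32  # bytes in an HMAC-SHA256 tag


def generate_hotspot_passphrase(length: int = 20) -> str:
    """Return a fresh random WPA2-PSK passphrase for one receiving session.

    WPA2 passphrases are 8-63 printable ASCII characters; 20 random
    alphanumerics are well beyond what an attacker can guess or pre-compute.
    """
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase_is_weak(passphrase: str) -> bool:
    """Flag the cases the advisory describes: the well-known fixed password,
    an open hotspot (empty passphrase), anything shorter than WPA2 allows,
    or an all-digit PIN-style value."""
    return (passphrase == HARDCODED_PASSPHRASE
            or len(passphrase) < 8
            or passphrase.isdigit())


def derive_session_key(passphrase: str, salt: bytes) -> bytes:
    """Hypothetical: derive the file-integrity key from the session passphrase."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, 32)


# --- "before": plaintext HTTP, as the article describes; nothing to verify ---
def send_plain(data: bytes) -> bytes:
    return data


def receive_plain(wire: bytes) -> bytes:
    return wire  # a tampered file is indistinguishable from a genuine one


# --- "after": file followed by an HMAC tag under the session key ---
def send_authenticated(key: bytes, data: bytes) -> bytes:
    return data + hmac.new(key, data, hashlib.sha256).digest()


def receive_authenticated(key: bytes, wire: bytes) -> bytes:
    if len(wire) < TAG_LEN:
        raise ValueError("truncated transfer")
    data, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("file modified in transit")
    return data


# --- the attacker from the advisory: joined the hotspot, sitting in the path ---
def tamper_in_transit(wire: bytes) -> bytes:
    """Flip one byte of the payload, e.g. to corrupt or trojan a transferred file."""
    buf = bytearray(wire)
    buf[0] ^= 0x01
    return bytes(buf)


def forge_with_known_passphrase(passphrase: str, salt: bytes, new_data: bytes) -> bytes:
    """With a hard-coded passphrase the attacker derives the same key and
    produces a perfectly valid tag for a file of their choosing."""
    return send_authenticated(derive_session_key(passphrase, salt), new_data)


def demo() -> dict:
    file_bytes = b"#!/bin/sh\necho installer\n"  # constructed sample payload
    malicious = b"#!/bin/sh\necho malware\n"     # constructed attacker payload
    salt = b"session-salt-demo"                   # constructed; random per session in practice
    results = {}

    # 1. Plain HTTP: the modified file is accepted; the receiver cannot tell.
    got = receive_plain(tamper_in_transit(send_plain(file_bytes)))
    results["plain_tampered_accepted"] = got != file_bytes

    # 2. Integrity tag, but keyed from the hard-coded 12345678: the attacker
    #    knows the passphrase too, so a forged file verifies cleanly.
    weak_key = derive_session_key(HARDCODED_PASSPHRASE, salt)
    forged = forge_with_known_passphrase(HARDCODED_PASSPHRASE, salt, malicious)
    results["forged_accepted_with_hardcoded"] = receive_authenticated(weak_key, forged) == malicious

    # 3. Per-session random passphrase: tampering is detected, genuine files pass.
    key = derive_session_key(generate_hotspot_passphrase(), salt)
    try:
        receive_authenticated(key, tamper_in_transit(send_authenticated(key, file_bytes)))
        results["tamper_detected_with_random"] = False
    except ValueError:
        results["tamper_detected_with_random"] = True
    results["untampered_ok"] = receive_authenticated(key, send_authenticated(key, file_bytes)) == file_bytes
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Case 2 is the one worth noting for reviewers of similar apps: adding a checksum or MAC to the transfer buys nothing while the key material is a constant every attacker can read out of the binary, and an open hotspot (the Android case) is equivalent to a fixed passphrase of length zero. A real fix pairs a per-session secret with an authenticated, encrypted channel such as TLS.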

Lenovo has certainly had its share of security difficulties, starting close to a year ago with the disclosure of Superfish, pre-installed adware that shipped with its own root certificate and thereby paved the way for man-in-the-middle attacks.

Another rootkit-like utility, the Lenovo Service Engine, was discovered in August. LSE collects some system information and sends it to Lenovo when the machine connects to the Internet. Some Lenovo users found that even after a clean reinstall of Windows, the LSE software reinstalled itself and prompted them to install another piece of software.

In November, the vendor patched two privilege-escalation vulnerabilities in its Lenovo System Update service. Researchers at IOActive found the flaws, which an attacker could abuse to gain administrator privileges: a weakness in the password-generation algorithm made it possible to guess the username and password of a temporary administrator account.